In this scenario each connection coming from any server on the 10.0.11.x subnet is source-NATted. Then, moving down the multi-match policy, it reaches the vip class, which load-balances it onto the real servers. Note that L4-MAP-SNAT-INTERNAL must be the first class defined in the policy for this to work properly.

As usual, the active one has the highest priority. Now I want this redundancy to be HOT, i.e. sessions remain up during a switchover because they are kept in sync between the peers. Typing show ft group det on the master ACE you could (as I did) see one of two standby states:

Peer State : FSM_FT_STATE_STANDBY_HOT

or

Peer State : FSM_FT_STATE_STANDBY_COLD

Cold standby state means that sessions will be dropped during a switchover and that, for some reason, configuration sync failed: the configurations are not even equal between the two peers, and further changes on the master will not be sent to the slave.

Typical reasons for configuration sync to fail are:

A scripted probe needs its script file on the ACE's disk0:, and the standby ACE may not have this file on its disk0:.

Interfaces are not configured the same way (missing some interface vlan?)

Svclc vlan groups on the Catalysts hosting the ACEs may not pass the same vlans to the two peers.

However, if you made one of these mistakes, as I did, your standby ACE is in COLD standby state; what to do now? Even after copying the configuration manually onto the second ACE, it will never switch to HOT standby state by itself.

The solution is quite easy:

Solve all the issues that caused the configuration sync to fail (see above).

On the standby ACE, switch the ft group of the context off and then (quickly) back on:

Tuesday, July 10, 2007

This one's simple. Here's how I set up my first NAT to let a load-balanced dual-armed farm reach the Internet through the ACE. I had to NAT all of the traffic to a single IP to make the firewalls' life easy.

Monday, June 11, 2007

Let's say you have a large data center, and that in this data center you have lots of dual-armed load-balanced serverfarms. It can happen that these servers need to call each other's balanced services. Here's how this can be accomplished with very little configuration on the real servers.

Scenario:

The BLUE-SERVERFARM real servers need to query a web service located on the YELLOW-SERVERFARM, on tcp port 2000. All of the real servers use the "upper" interface (vlan 101) to act as servers, i.e. to answer clients' queries coming from the ACE. The "internal" interface (vlan 102) is used by the servers when they act as clients of someone else's service. This is easy to configure, just a matter of routes on the servers: the default gateway is always the ACE, and there is a static route on the internal interface for all the IPs the server could query when acting as a client.

Without configuring Source NAT on the ACE, all connections fail because of the asymmetric response from the servers of the YELLOW-SERVERFARM. When a connection arrives from the ACE, the source IP is the internal interface of the client server. As this IP is on a LAN directly connected to the destination server, the response will return over the INTERNAL interface, not over the same route the request took.

Solution: Source-NATting these requests on the ACE means the destination server no longer sees the source IP as directly connected, so it answers via its default gateway (the ACE) and the reply follows the same path as the request. The simplest way I've found is to reserve a new virtual address only for requests coming from the servers on the same LAN, as described above. So clients will continue to query the service on VIP 10.20.0.2 port 2000, while servers on the same LAN will query the same service on the same port but on VIP 10.20.0.20, being source-NATted with an IP from the SNATPOOL.

The real server of the YELLOW-SERVERFARM, seeing the request from a SNATted address, will route the response via the default gateway (ACE), which will send the packets back along the same path the request took.
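To make the asymmetry concrete, here is an added example (not from this blog and not ACE or server code) that models the routing decision of a BLUE client server and a YELLOW real server with a minimal longest-prefix-match table. All addresses are constructed assumptions: vlan 101 "upper" is 10.20.1.0/24 with the ACE at 10.20.1.1 (the default gateway), vlan 102 "internal" is 10.20.2.0/24 with the ACE at 10.20.2.1, and SNAT pool addresses are taken from 10.20.9.0/24. The only address from the post is the servers' VIP 10.20.0.20.

```python
import ipaddress


class Host:
    """Tiny IPv4 forwarding table with longest-prefix match.

    Constructed model for illustration only. A route is
    (network, next_hop, interface); next_hop is None for a directly
    connected network, where the host ARPs for the destination itself.
    """

    def __init__(self, name):
        self.name = name
        self.routes = []

    def add_interface(self, ifname, cidr):
        iface = ipaddress.ip_interface(cidr)
        self.routes.append((iface.network, None, ifname))
        return self

    def add_route(self, cidr, next_hop, ifname):
        self.routes.append((ipaddress.ip_network(cidr),
                            ipaddress.ip_address(next_hop), ifname))
        return self

    def lookup(self, dst):
        """Return (interface, next_hop) for dst; 'connected' when on-link."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        _net, nh, ifname = max(matches, key=lambda r: r[0].prefixlen)
        return ifname, ("connected" if nh is None else str(nh))


# Constructed addressing (assumption, not taken from the post):
#   vlan 101 "upper"    10.20.1.0/24, ACE at 10.20.1.1 (default gateway)
#   vlan 102 "internal" 10.20.2.0/24, ACE at 10.20.2.1
#   VIPs in 10.20.0.0/24 (10.20.0.20 is the VIP named in the post)
#   SNAT pool in 10.20.9.0/24
ACE_UPPER = "10.20.1.1"
ACE_INTERNAL = "10.20.2.1"


def yellow_server():
    """A YELLOW-SERVERFARM real server: both arms, default gateway = ACE."""
    return (Host("yellow-1")
            .add_interface("upper", "10.20.1.10/24")
            .add_interface("internal", "10.20.2.10/24")
            .add_route("0.0.0.0/0", ACE_UPPER, "upper"))


def blue_server():
    """A BLUE-SERVERFARM real server: static route for the VIP range points
    at the ACE on the internal arm, as the post describes."""
    return (Host("blue-1")
            .add_interface("upper", "10.20.1.20/24")
            .add_interface("internal", "10.20.2.20/24")
            .add_route("10.20.0.0/24", ACE_INTERNAL, "internal")
            .add_route("0.0.0.0/0", ACE_UPPER, "upper"))


def request_path(vip):
    """How the BLUE server forwards its request towards the VIP."""
    return blue_server().lookup(vip)


def reply_path(request_src):
    """How the YELLOW server forwards its reply to the request's source IP."""
    return yellow_server().lookup(request_src)


def reply_is_symmetric(request_src):
    """True when the reply goes back through the ACE rather than on-link."""
    _ifname, next_hop = reply_path(request_src)
    return next_hop in (ACE_UPPER, ACE_INTERNAL)


if __name__ == "__main__":
    print("request to VIP 10.20.0.20:", request_path("10.20.0.20"))
    # Without SNAT the ACE forwards the client server's own internal IP.
    print("reply, no SNAT   (src 10.20.2.20):", reply_path("10.20.2.20"),
          "symmetric" if reply_is_symmetric("10.20.2.20") else "ASYMMETRIC")
    # With SNAT the source is a pool address the server has no link to.
    print("reply, with SNAT (src 10.20.9.1): ", reply_path("10.20.9.1"),
          "symmetric" if reply_is_symmetric("10.20.9.1") else "ASYMMETRIC")
```

The model shows the mechanism behind the fix: a connected /24 always beats the default route, so a reply to a source on vlan 102 leaves directly on that vlan and never returns through the ACE, while a reply to a SNAT pool address has only the default route to use. The same check is a quick way to verify any new farm-to-farm VIP design before deploying it.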

In order to make passive FTP connections work, with the firewall checking consistency of source and destination addresses, you'll need to change the FTP server configuration. On the frox server there's a configuration parameter "PASV Reply Address" that should be set to the VIP (10.0.20.1) so that the FTP server calls the client back (passive mode) with the same address the firewall sees for the active client-server communication.

Writing my IP address management software, I needed something to order my IPs in SQL. The dotted notation wasn't efficient, so I needed to convert it to an integer. Wandering on the Net, with the CCNA study guide open, here's the result, starting from a script read somewhere...
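As an added example of the conversion described above (my own code, not the script the post refers to), the following Python turns a dotted quad into its 32-bit integer and back, validates the input strictly, and then uses an in-memory SQLite table to show why sorting a TEXT column gives the wrong order while sorting the INTEGER column gives the right one. The sample addresses are constructed; the function names are mine.

```python
import sqlite3


def ip_to_int(ip):
    """Convert a dotted-quad IPv4 string to its 32-bit integer value.

    Strict parsing: exactly four decimal octets, each 0-255, no leading
    zeros (some C libraries read '010' as octal, which silently changes
    the value), no surrounding garbage.
    """
    parts = ip.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for octet in parts:
        if not octet or any(c not in "0123456789" for c in octet):
            raise ValueError(f"bad octet {octet!r} in {ip!r}")
        if len(octet) > 1 and octet[0] == "0":
            raise ValueError(f"leading zero in octet {octet!r} of {ip!r}")
        n = int(octet)
        if n > 255:
            raise ValueError(f"octet {n} out of range in {ip!r}")
        value = (value << 8) | n   # same as a*16777216 + b*65536 + c*256 + d
    return value


def int_to_ip(value):
    """Inverse of ip_to_int."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_ipv4(ip):
    """Boolean wrapper around the strict parser."""
    try:
        ip_to_int(ip)
        return True
    except ValueError:
        return False


def sql_orderings(ips):
    """Store the addresses as both TEXT and INTEGER and return
    (order_by_text, order_by_integer) as produced by SQL ORDER BY.
    Uses an in-memory SQLite database so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE hosts (ip TEXT NOT NULL, ip_int INTEGER NOT NULL)")
    con.executemany("INSERT INTO hosts VALUES (?, ?)",
                    [(ip, ip_to_int(ip)) for ip in ips])
    by_text = [row[0] for row in con.execute("SELECT ip FROM hosts ORDER BY ip")]
    by_int = [row[0] for row in con.execute("SELECT ip FROM hosts ORDER BY ip_int")]
    con.close()
    return by_text, by_int


if __name__ == "__main__":
    sample = ["10.0.11.5", "10.0.11.10", "9.255.255.255", "10.0.2.1"]  # constructed
    for ip in sample:
        n = ip_to_int(ip)
        print(f"{ip:>16} -> {n:>10} -> {int_to_ip(n)}")
    text_order, int_order = sql_orderings(sample)
    print("ORDER BY ip     (TEXT)   :", text_order)
    print("ORDER BY ip_int (INTEGER):", int_order)
```

Storing the integer alongside the text (or instead of it) also makes range queries such as "all hosts in 10.0.11.0/24" a simple BETWEEN on ip_int. Keep the strict parser in front of the insert: an address that the database accepts as text but that other tools parse differently (leading zeros, fewer than four octets) is a classic source of mismatched inventories.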